Talks and Presentations#

• Invited Talk for Team Bi0s - Argument Injection - Video & Slides
• HITB GSEC 2018 - Surprise Rant 2.0 Video
• OffensiveCon 2018 - Surprise Rant Video
• Ekoparty 2016 - Let Me GitHub That For You (2016 Argentinian Edition) Video
• Hacktivity 2015 - Your Web app, those hackers & you Video
• HackPra 2015 - Bug Tales Video
• Hackito Ergo Sum 2014 - Ruby on Rails exploitation and effective backdooring
• t2-2013 - <3 Ruby on Rails <3
• HITB Amsterdam 2013 - Attacking Ruby on Rails Applications
• ZeroNights 2012 - They told me I could be anything, so I became BAh7BkkiDHVzZXJfaWQGOgZFVGkG
• HITB Malaysia 2011 - Building and Breaking Ruby on Rails
• Hackito Ergo Sum 2011 - Ruby On Rails From A Code Auditor’s Perspective Video part 1 part 2 part 3
• Berlinsides 2010 - Ruby On Rails From A Code Auditor’s Perspective

Blogposts#

GitLab#

• Git security audit: Inside the hunt for - and discovery of - CVEs
• Terraform as part of the software supply chain
• A brief look at Gitpod, two bugs, and a quick fix
• Switching “sides” in security
• How to play GitLab’s Capture the Flag at home
• How to exploit parser differentials
• Shopping for an admin account via path traversal

Recurity Labs#

• KNX, %s and a backdoor
• Compromise On Checkout - Vulnerabilities in SCM Tools
• dRuby for Penetration Testers
• At Least, I got DoS

Phenoelit#

• TL;DR: Just another way to get RCE in i2p version 0.9.13.
• Ruby on Rails Default Token Database
• MySQL madness and Rails
• Let Me Github That For You
• A worst practice in Ruby on Rails

Papers#

• Attacking Ruby on Rails Applications - Phrack 69
• A Vulnerability in Reduced Dakarand from PoC||GTFO 01:02 - PoC||GTFO 02:09

Trainings#

• Source Code Auditing Like a Ninja - HITB GSEC Singapore 2018
• Source Code Auditing Like a Ninja - HITB Amsterdam 2018
• Ruby on Rails – Auditing & Exploiting the Popular Web Framework - OWASP AppSec EU 2015
• Ruby on Rails – Auditing & Exploiting the Popular Web Framework - OWASP AppSec USA 2014

Other#

• Founding member of das Labor a Hackerspace in Bochum
• Review panel member for THREAT CON since 2018